Restricted users are able to browse secure sites at restricted times

We have configured Squid proxy server 2.6 STABLE on a Fedora 6 box. We have given full-time net access to particular users only. The remaining users can access the net at particular times only. But for Skype we have given access to all users. This is our code for Skype access.

 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 443 563 # https, snews
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http

 acl udpproto proto UDP

 http_access allow udpproto Safe_ports

For all users Skype is working fine. The limited-time users (users with limited net access) are able to access some secure sites like Gmail, Hotmail and many banking sites. I want to allow only Skype access, not secure websites, for limited users at restricted times.

Asked by: rajasekarramasamy

dennisonz commented:

Haven't tried this yet, but it's worth a try: have Skype use a different port number instead of 443. Then remove 443 from your Safe_ports.

Like for example:
 acl Safe_ports port 80 # http
 acl Safe_ports port 21 # ftp
 acl Safe_ports port 444 # skype
 acl Safe_ports port 70 # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535 # unregistered ports
 acl Unreg_ports port 1025-65535 # unregistered ports

 acl Safe_ports port 444
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports


Michael Worsham (Infrastructure / Solutions Architect) commented:
Perhaps this thread can shed some light...

Multiple ACL time restrictions
http://www.squid-cache.org/mail-archive/squid-users/200105/0870.html

rajasekarramasamy (Author) commented:
Hi mwecomputers,

I don't need a solution for ACL time restriction.

FYI

In our setup we have enabled Skype access for the users having limited (time-restricted) net access.

For Skype access via Squid we need to allow https port 443 so that Skype can connect via Squid. If we enable this secure port, the restricted (time-restricted) users are able to access secure sites during the restricted time.

Michael Worsham (Infrastructure / Solutions Architect) commented:
I don't know if squid can accomplish what you are asking for... however...

An easy solution would be setting up an Untangle application server between your router and your internal network in transparent bridge mode. The Untangle appliance has a Web Content Control module that filters user access to specific Internet websites including setting time and user based policies (e.g. allow gmail access during lunch and outside business hours). The Web Content Control also enables you to choose among these categories to define web content control policies in your workplace. It can use custom URL blocklists for hosts, domains, and file types to block/filter additional content.

Untangle Site:
http://www.untangle.com/

Untangle Product Overview:
http://www.untangle.com/index.php?option=com_content&task=view&id=86&Itemid=179

Untangle Demo/Video Overview
http://www.untangle.com/video_overview/

rajasekarramasamy (Author) commented:
I need a solution in squid only.

dennisonz commented:

Have you tried:

 acl https_sites dstdomain "/etc/squid/https_sites"
 http_access deny https_sites

The "/etc/squid/https_sites" file contains:
.gmail
.hotmail.
."banking sites"




rajasekarramasamy (Author) commented:
I tried your settings; the users are able to browse. The problem is that for Skype I enabled port 443 (https) for all users (full-time net users and limited-time net users). The limited-time net users are able to browse https sites (only https sites) during restricted browsing hours. This is the problem I am facing. Skype uses only port 443 to connect. Is there any way to connect Skype via Squid without using port 443 (https)?

This is my config for skype connection in squid.

 acl Safe_ports port 443
 acl udpproto proto UDP
 http_access allow udpproto Safe_ports


Any solution? It is very urgent.

dennisonz commented:

With the settings in my previous post, it would also block:

http://www.gmail.com
https://www.gmail.com

These are my settings in Squid and they are working fine. Place this one after your config for Skype connection.
Question has a verified solution.
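
How rule order interacts with a `dstdomain` deny list and a port 443 allow, as an added example that is not part of the thread or of Squid itself: a small Python model of Squid's `http_access` evaluation (the first matching line decides, ACLs on one line are ANDed). The ACL name `ssl_port`, the list entries and the sample requests are constructed for illustration.

```python
# Added example: minimal model of Squid http_access evaluation (not Squid code).
# ACL names, list entries and sample requests are constructed for illustration.

def dstdomain_match(host, entries):
    """dstdomain semantics: '.example.com' matches the domain and its
    subdomains; an entry without a leading dot matches that host only."""
    host = host.lower().rstrip(".")
    for entry in entries:
        entry = entry.lower()
        if entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def acl_match(acl, req):
    kind, values = acl
    if kind == "port":
        return req["port"] in values
    if kind == "dstdomain":
        return dstdomain_match(req["host"], values)
    raise ValueError("unsupported ACL type: " + kind)

def http_access(rules, acls, req):
    """Lines are checked top to bottom; every ACL on a line must match (AND);
    the first matching line decides. No match: opposite of the last line."""
    for action, names in rules:
        if all(acl_match(acls[name], req) for name in names):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

ACLS = {
    "ssl_port": ("port", {443}),                                  # assumed name
    "https_sites": ("dstdomain", [".gmail.com", ".hotmail.com"]),  # sample list
}
DENY_FIRST = [("deny", ["https_sites"]), ("allow", ["ssl_port"])]
ALLOW_FIRST = [("allow", ["ssl_port"]), ("deny", ["https_sites"])]

WEBMAIL = {"host": "www.gmail.com", "port": 443}  # CONNECT www.gmail.com:443
OTHER = {"host": "203.0.113.10", "port": 443}     # constructed unlisted peer

if __name__ == "__main__":
    for label, rules in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(label, http_access(rules, ACLS, WEBMAIL), http_access(rules, ACLS, OTHER))
```

List entries are matched as domain suffixes, so `.gmail.com` covers `www.gmail.com`, while a partial label such as `.gmail` does not.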